Comments to the Guidelines 06/2020 on the interplay of the Second Payment Services Directive (PSD2) 
and the GDPR 


Silent party data 


Paragraph 47 of the Guidelines suggests including technical measures to ensure that silent party data are not 
processed for a purpose other than the purpose for which the personal data were originally collected by 
PISPs and AISPs. If feasible, encryption or other techniques must also be applied. Please note that provision 
of a payment initiation service would not be possible if silent party data is encrypted. Such technical measures 
are not in line with the payment initiation service as such. Instead of specifying technical measures the 
Guidelines might state that personal data collected for payment initiation service purposes may not be 
further processed in a manner that is incompatible with these purposes. 


According to Paragraph 62 of the Guidelines, data categories that may not be necessary for the provision 
of the contract may include the identity of the silent party and the transaction characteristics. Also, unless 
required by Member State or EU law, the IBAN of the silent party’s bank account may not need to be 
displayed. The latter contradicts Paragraphs 44-46 of the Guidelines, which specify that the GDPR allows 
the processing of silent party data when this processing is necessary for purposes of the legitimate interests 
pursued by a controller or by a third party (Article 6 (1)(f) GDPR). 


Processing of special categories of personal data 


Section 5.1 of the Guidelines specifies that there is a chance that a service provider processing information 
on financial transactions of data subjects also processes special categories of personal data. Moreover, 
through the sum of financial transactions, different kinds of behavioural patterns could be revealed, including 
special categories of personal data. We are of the opinion that even if financial transactions of data subjects 
contain special categories of personal data, the data controller does not have a purpose to process (select, 
use etc.) those data for the purpose of provision of payment initiation service, including account information 
service provision. Therefore, the Guidelines should not consider that a service provider processing financial 
transactions of data subjects also processes special categories of personal data (distinguishes them from 
other transaction data). 


According to Paragraph 54 of the Guidelines, the possibility that special categories of personal data are 
included in the personal data processed for the provision of any of the services falling under the PSD2 must 
be recognised by the service provider. Where the service provider cannot show that one of the derogations 
in Article 9 (2) of the GDPR is met, the prohibition of Article 9 (1) is applicable. This means that the service provider 
should screen for special category data and not transfer such data to the account information service provider 
or payment initiation service provider. We are of the opinion that such a requirement is impossible to 
implement in practice. Moreover, a service provider would be in breach of the provisions of the PSD2 if not all data 
is provided. 


All transaction data should be accessible by the service provider. The PSD2 does not allow selecting which data 
may be transferred for the payment initiation service, including the account information service. Please note that 
Paragraphs 55 and 56 of the Guidelines contradict the PSD2 legal requirement to perform the payment 
initiation service as such. 


Paragraph 53 of the Guidelines provides two possible derogations specified in Article 9 (2) of the GDPR to 
consider in order for a service provider to be able to process special category data: explicit consent given by 
the data subject (Article 9 (2) (a) of the GDPR) and substantial public interest (Article 9 (2) (g) of the GDPR). 
Consent must be obtained in accordance with certain conditions set in the GDPR, and there is doubt whether it can 
meet all such requirements. If performance of a payment initiation contract depends on the GDPR consent, 
one could argue that the consent is not freely given and therefore not valid. According to Paragraph 43 of 
the Guidelines, “explicit consent under the PSD2 is different from (explicit) consent under the GDPR. Explicit 
consent under Article 94 (2) of the PSD2 is an additional requirement of a contractual nature.” In our opinion, 
GDPR consent should not be the most appropriate legal ground for processing of personal data for the 
provision of payment initiation service. 

According to the Guidelines, substantial public interest (Article 9 (2) (g) of the GDPR) is another possible legal 
ground for processing of special category data for the provision of payment initiation service. This derogation 
could be applied if processing of special categories of personal data is addressed in a specific derogation in 
Union or Member State law. It should be noted that a very specific law must be adopted in order for the controller 
to apply this derogation. We are of the opinion that application of Article 9 (2) (g) of the GDPR depends 
on the adoption of new laws, which is beyond the control of a data controller; therefore, controllers cannot 
currently rely on the derogation in question. 


The Guidelines are not aligned with anti-money laundering (AML) laws and guidelines 


The Guidelines have not taken into consideration the specifics of AML. If service providers implement the 
requirements specified in the Guidelines (e.g. Paragraphs 62-63 of the Guidelines), they will be in breach of 
AML regulation, e.g. Directive (EU) 2015/849 (AML Directive) specifies that “Member States shall ensure that 
obliged entities carry out sufficient monitoring of the transactions and business relationships to enable the 
detection of unusual or suspicious transactions”. 

Paragraph 63 of the Guidelines recommends the usage of digital filters in order to support AISPs in their 
obligation to only collect personal data that are necessary for the purposes for which they are processed. For 
instance, when a service provider does not need the transaction characteristics (in the description field of the 
transaction records) for the provision of their service, a filter could function as a tool for TPPs to exclude this 
field from the overall processing operations by the TPP. 

Please note that this is not needed for a service provider, but rather for a service recipient. The latter needs 
to receive an account statement (including all transaction data in the statement) in one place. This requirement 
comes from PSD2. 


What is missing 


We are of the opinion that the Guidelines should recommend retention periods (what triggers retention) for 
data processing for the payment initiation services. 


Profiling of data received during provision of payment initiation service should be discussed more broadly. 
Otherwise market players might have different interpretations. This might lead to illegal data processing. 


Data subjects should be informed about data processing for payment initiation service provision; however, 
the Guidelines do not specify how and what needs to be communicated to the data subjects, including 
"representatives" of legal persons. 


